
Win Server 2K8R2 Disappearing Folders


18 replies to this topic

#1 billh01

Posted 23 March 2013 - 09:38 AM

Originally posted the following in the wrong forum.

Two folder trees (that I'm aware of) appear to be empty. Naturally they're the core shares for the system. When looking at them in Windows Explorer the root folder shows without the + sign indicating the presence of sub-folders, and clicking on that folder nothing appears in the right pane.

A right click on the folders shows that data are there, but it's simply not visible.

After running an AVG scan 61 occurrences of 2 things were found and removed: Worm/Autorun.inf, Trojan Horse Dropper.Generic7.CMLQ

Update - it looks like all folders have been set to Read Only, and the ones I asked about originally have also had their System attribute turned on. If I turn off "hide protected OS files" I can see the folders and their contents but can't change any attributes.

OS is Windows Server 2008 R2 Standard SP1

Any help please?


#2 dev00790

Posted 23 March 2013 - 07:28 PM

Hi

 

You may be best to post this in the Windows Server forum here. This is since I believe that not many helpers who help in "Am I Infected" are familiar with Windows Server.


Edited by dev00790, 23 March 2013 - 07:29 PM.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours, please send me a PM.


#3 billh01

Posted 23 March 2013 - 08:24 PM

Moved it. Thanks for the suggestion.



#4 Blade

Posted 23 March 2013 - 08:40 PM

Actually. . . as it involves malware. . . this is the proper forum for it. Sorry for any confusion. I have closed your other topic.

billh, as your new topic had a bit more information. . . I have edited your original post in this topic to reflect it.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 Sneakycyber

Posted 23 March 2013 - 09:00 PM

  1. What server roles do you have installed?
  2. Is this a domain controller?
  3. Is it the only domain controller?
  4. Do you have a backup system in place and a recent image of the system?

Please note: during the week I am usually extremely busy. If you do not hear from me in 24 hours, send me a PM. I tend to post a lot at night and from my smart phone, so please excuse any typos. If you feel any advice is risky, unneeded or questionable, DON'T DO IT; ask me to explain. It's your data we're concerned with.


Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#6 billh01

Posted 24 March 2013 - 08:13 AM

  1. What server Roles do you have installed  --- 2 - File Services and Web Server (IIS)
  2. Is this a Domain controller --------------------   No
  3. Is it the only Domain controller---------------- N/A
  4. Do you have a Back up system in place and a recent image of the system --------- Application data & program backups.


Answers to your questions are embedded above. Machine is essentially running as a file sharing server; one SQL application runs on it; recently added FTP (WingFTP) for remote office large file transmittal.


Edited by billh01, 24 March 2013 - 08:16 AM.


#7 Sneakycyber

Posted 24 March 2013 - 11:38 AM

When logged into the server are you logged in as Administrator?

 

  1. Right click on the folder and select properties
  2. Select the Securities tab, then advanced, and then Owner
  3. What Owner is listed?

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#8 billh01

Posted 24 March 2013 - 04:03 PM

When logged into the server are you logged in as Administrator? - - -yes

 

  1. Right click on the folder and select properties
  2. Select the Securities tab, then advanced, and then Owner
  3. What Owner is listed? - - - -Administrators Group


#9 Sneakycyber

Posted 24 March 2013 - 04:21 PM

Where are these Folders located and what did they contain originally?

 

 

Open the command prompt and use the command:

fsutil usn readdata [insert folder location here]

Please post the results for the folder with the problem.


Edited by Sneakycyber, 24 March 2013 - 05:31 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#10 billh01

Posted 24 March 2013 - 06:12 PM

First folder: e:\libra:

 

Major Version    : 0x2
Minor Version    : 0x0
FileRef#         : 0x0001000000000028
Parent FileRef#  : 0x0005000000000005
Usn              : 0x0000000001b08f50
Time Stamp       : 0x0000000000000000 12:00:00 AM 1/1/1601
Reason           : 0x0
Source Info      : 0x0
Security Id      : 0x0
File Attributes  : 0x10
File Name Length : 0xa
File Name Offset : 0x3c
FileName         : LIBRA
 
Second folder: e:\vol01
 
Major Version    : 0x2
Minor Version    : 0x0
FileRef#         : 0x00030000000000bf
Parent FileRef#  : 0x0005000000000005
Usn              : 0x00000000029d5f60
Time Stamp       : 0x0000000000000000 12:00:00 AM 1/1/1601
Reason           : 0x0
Source Info      : 0x0
Security Id      : 0x0
File Attributes  : 0x10
File Name Length : 0xa
File Name Offset : 0x3c
FileName         : Vol01

 

Recall that all folders on all volumes have been set to read only, and the subfolders in only the 2 folders above have been set to hidden and system. I can see them only if I set the view to not hide operating system files.



#11 billh01

Posted 24 March 2013 - 08:18 PM

Would unhide be appropriate to run on this machine? Compatible w/Win Server 2K8R2?



#12 Sneakycyber

Posted 24 March 2013 - 09:23 PM

You can try it, it won't hurt anything. I will look up the syntax for fsutil; I lost the page lol. I will post back in a bit.


Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#13 billh01

Posted 25 March 2013 - 05:48 AM

Unhide won't run. Immediately reports it doesn't support WIN2K8R2



#14 Sneakycyber

Posted 25 March 2013 - 06:09 PM

Can you run fsutil on the subfolders? Those folders are only tagged as a directory, not Hidden or Read only. You can see them and get to the subfolders, correct?


Edited by Sneakycyber, 25 March 2013 - 06:11 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +
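
Added example (not part of any post in this thread): a small Python parser for the `fsutil usn readdata` output posted above that decodes the File Attributes bitmask, showing why 0x10 means "directory only" while a folder Explorer hides as a protected operating system file carries both HIDDEN and SYSTEM. The bit values are the documented Win32 FILE_ATTRIBUTE_* constants; the sample is abridged from the thread's output, and the third record (ExampleSub, 0x17) is constructed to represent a read-only, hidden, system subfolder like the ones described.

```python
import re
# Documented Win32 FILE_ATTRIBUTE_* bits for the "File Attributes" field.
FILE_ATTRIBUTES = {0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM",
                   0x0010: "DIRECTORY", 0x0020: "ARCHIVE"}
# fsutil pads labels before ":", so requiring that gap skips prose lines (assumed layout).
FIELD = re.compile(r"^\s*(.+?)\s+:\s*(.*?)\s*$")
# Abridged from the output posted in the thread; the ExampleSub record is constructed.
SAMPLE = r"""First folder: e:\libra:
Major Version    : 0x2
File Attributes  : 0x10
FileName         : LIBRA
Major Version    : 0x2
File Attributes  : 0x10
FileName         : Vol01
Major Version    : 0x2
File Attributes  : 0x17
FileName         : ExampleSub"""

def parse_usn_records(text):
    """Split the output into one dict per record, keyed by field label."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Major Version":   # first field of every record
                records.append({})
            if records:
                records[-1][key] = value
    return records

def decode_attributes(value):
    """Return the names of the bits set in a File Attributes hex string."""
    bits = int(value, 16)
    names = [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if bits & bit]
    unknown = bits & ~sum(FILE_ATTRIBUTES)
    return names + ([f"UNKNOWN(0x{unknown:x})"] if unknown else [])

def report(text):
    """Map FileName -> (flags, True if HIDDEN and SYSTEM are both set)."""
    out = {}
    for r in parse_usn_records(text):
        flags = decode_attributes(r["File Attributes"])
        out[r["FileName"]] = (flags, {"HIDDEN", "SYSTEM"} <= set(flags))
    return out

if __name__ == "__main__":
    for name, (flags, hidden) in report(SAMPLE).items():
        print(name, "|".join(flags), "hidden+system:", hidden)
```

Running the same decoder over output collected for each subfolder gives a quick inventory of which entries had their attributes changed.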


#15 billh01

Posted 25 March 2013 - 09:13 PM

Well, now I've lost remote access to the server so no joy on the fsutil. Did a system restore from the last known good backup today and no change, so tomorrow I'm going to pull the trigger on formatting the drive and reloading everything. Client can't wait any longer. I suggested thank you notes instead of paychecks but they don't think that will fly.

 

Thanks very much for the help. I wish we could have taken this to a different conclusion.

 

Bill





